Category: PCI Compliance

I was on the phone with a tech from Payment Logistics, one of the CC processors that Liberty integrates with, along with a client. To make a long story short, their credit card terminals only work when they have static IP addresses assigned – they do not support DHCP. This means each terminal has to be configured manually.

For any SysAdmins or techs out there, you are likely already seeing the shortcomings here. The device should be able to connect to the network and obtain an IP address via DHCP, so that IP address management is handled centrally in the router, lifting the burden off of the customer. If a terminal genuinely needs a fixed address, a DHCP reservation keyed to the terminal’s MAC address gives it one while keeping the configuration in the router rather than on each device.

By requiring each terminal to have a static IP, you put the burden on the end-user. If anything changes — e.g. they get a new router — ALL of the credit card terminals have to be reconfigured.

When I pointed out this shortcoming to Payment Logistics, they got defensive and started asking, “What do you know about PA-DSS?” “What do you know…” — a great way to show you’re more interested in stroking your ego vs. dealing with facts. After a period of time on the phone, the end-user was calling out which menu options he saw and, lo and behold, it has DHCP. When I asked the Payment Logistics tech why we can’t just use DHCP, he said their terminals currently only work with a static IP, but they have a new version in beta which will support DHCP.

So we took the loooooooong way around them simply stating, “Yes, right now our terminals only support static IPs, which we realize is enough of a shortcoming that we’re adding DHCP functionality and it’s currently in beta.” Instead of just saying that, they tried to ‘protect’ themselves and get into a pissing contest.

As of right now, I can’t faithfully recommend Payment Logistics to our clients who are running Liberty, as this puts a tremendous amount of burden on the end-user and it’s an obvious shortcoming. Did Liberty/Resaleworld tell you all of this before they recommended this credit card processor? Did they go over the amount of work and burden it puts on you? I’m sure all of you have SysAdmins out there or know how to manually configure your devices’ IP address settings, right?

You each have programs that hundreds, even thousands of customers have spent thousands of dollars on. They utilize your programs to run their businesses. These are real people, who work very hard, and who make your companies what they are today.

Consignment software, and software in general, is a unique industry in that, to those on the outside, software development can seem like ‘magic’ or something only someone special can comprehend. Software is like sausage – you don’t want to see how it’s made.

Software developers are normal human beings, who make mistakes. They can be under time constraints or budget constraints. Just like there is more than one way to install flooring in your home, there is more than one way to solve a problem with software. Their solution to a problem isn’t always the best one – sometimes it’s the least-expensive or quickest one, and sometimes that causes problems for the users of the software. A user who spends $1,000 on a program can’t help but expect that the developer attempts to own and fix every legitimate bug presented to them, and spends all day, every day, looking at ways to make the software easier to use, more stable, less error-prone, and more reliable.

A common response you’ll hear from the vendors is, “All software has bugs.” True, but using that response for every bug and deficiency in your software is a cop-out.

There is a seemingly gray area where the software vendors blame issues with their software on the computers you’re running it on, or on some “seemingly far-beyond-your-understanding” issue that is so complex that, ultimately, it is not an issue with their software.

Vendors, it’s time to stop this. Not for us, but for your customers. The Computer Peeps don’t get a “kick” out of proving your software is the issue or needs to be improved. This is not a game, these are not opinions. We ask, on behalf of your customers, that you stop denying the issue is your software when it is 100% verifiable. You make yourself come off worse than if you would simply own up to the verifiable issue and let your customers know you’re going to take steps to fix it. You’re wasting our time, and more frustrating still is when you make your customers waste not hours, not weeks, but months on an issue.

So please, for the benefit of your paying customers, we ask that you stop putting up such walls when legitimate issues are brought to your attention.

The Computer Peeps look forward to seeing a positive change amongst the vendors and regardless of what the vendors do or don’t do, The Computer Peeps will continue to be stewards of proper and secure system configuration.

A client of ours received an email warning her that someone had used her Apple ID to download an app:

[hr]

Apple Phishing Email

[hr]

This email did not come from Apple. It is a fake, known as a phishing email, and it is trying to bait the recipient into clicking the links in the message. The message tries to trick the recipient into thinking their Apple account has been compromised, when in fact the message itself is attempting to do just that.

The links do not lead to Apple’s website. Instead, the links lead to a malicious website:

[hr]

Apple ID Phishing Link

[hr]
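As an added example (not code from the original post), here is a PowerShell function that does mechanically what the screenshot shows a person doing by hovering over the link: it pulls every link out of an HTML message body and reports those whose real destination is not an Apple-owned host, is not HTTPS, or displays one address while linking to another. The message body, the link targets and the trusted-domain list are constructed for the example and are not taken from the client’s actual email.

```powershell
# Added example, not code from the original post. Pulls every <a href> out of an
# HTML e-mail body and reports the links a phishing message relies on.
# The message body below is constructed for this example (not the client's real e-mail).
$SampleHtml = @'
<p>Your Apple ID was used to download an app. If this wasn't you,
<a href="http://appleid-verify.example.net/login">click here to verify your account</a>.</p>
<p>Genuine help is at <a href="https://www.apple.com/support/">apple.com/support</a>.</p>
<p><a href="http://www.apple.com.secure-login.example.org/">https://appleid.apple.com</a></p>
'@

# Domains a genuine Apple mail would link to (assumption for this example).
$TrustedDomains = @('apple.com', 'icloud.com')

function Test-TrustedHost {
    param([string]$HostName, [string[]]$Domains)
    # Trusted only if the host IS the domain or ends in ".<domain>". A lookalike such as
    # www.apple.com.secure-login.example.org fails because its real suffix is example.org.
    foreach ($d in $Domains) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Get-SuspiciousLinks {
    param([string]$Html, [string[]]$Domains)
    # Regex over <a ... href="..."> ... </a>: adequate for mail bodies, not a full HTML parser.
    $pattern = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    $found = [regex]::Matches($Html, $pattern, 'IgnoreCase, Singleline')
    foreach ($m in $found) {
        $href = $m.Groups[1].Value
        $text = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()
        $uri = $null
        if (-not [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$uri)) {
            # Relative or malformed target: report it rather than silently skipping it.
            [pscustomobject]@{ Text = $text; Href = $href; RealHost = '(unparseable)'; Reason = 'malformed URL' }
            continue
        }
        $reasons = @()
        if (-not (Test-TrustedHost -HostName $uri.Host -Domains $Domains)) { $reasons += 'host is not an Apple domain' }
        if ($uri.Scheme -ne 'https') { $reasons += 'not https' }
        # Visible text that looks like a URL but points elsewhere is the classic tell.
        if ($text -match '^https?://') {
            $shown = $null
            if ([System.Uri]::TryCreate($text, [System.UriKind]::Absolute, [ref]$shown) -and $shown.Host -ne $uri.Host) {
                $reasons += "displays '$($shown.Host)' but links to '$($uri.Host)'"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Text = $text; Href = $href; RealHost = $uri.Host; Reason = ($reasons -join '; ') }
        }
    }
}

Get-SuspiciousLinks -Html $SampleHtml -Domains $TrustedDomains | Format-Table -AutoSize -Wrap
```

The suffix check is the part worth copying: a host has to be the trusted domain itself or end in a dot followed by it, which is exactly what a lookalike such as apple.com.something-else.example fails. Paste the raw HTML of a suspicious message into $SampleHtml (View Source in most mail clients) to run it against a real one.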

This is the first place your Web Browser makes a difference.

If you use Internet Explorer and click that link, it does nothing to stop it (and that’s with the SmartScreen Filter enabled).

If you use Firefox, it detects it is a malicious link:

[hr]

Firefox Phishing Protection

[hr]

If you use Chrome, it detects it is a malicious link:

[hr]

Chrome Phishing Protection

[hr]

By no means should you rely on your browser as your sole point of Web security, but you can see how Internet Explorer compares to Firefox and Chrome when it comes to ‘safe browsing’.

Next, you get to see how well your antivirus holds up. For you Microsoft Security Essentials users out there, it does nothing to detect or prevent this phishing attack. If you’re utilizing ESET NOD32, you’re in better shape:

[hr]

ESET NOD32 Antivirus Phishing Protection

[hr]

[info_box style="notice"]The Computer Peeps recommend a layered approach to Web security, including OpenDNS Web Filter, Firefox w/ NoScript, AdBlock Plus, and Public Fox, as well as logging in to your system as a non-admin and utilizing ESET NOD32 Antivirus (or one of the top-performing antivirus solutions).[/info_box]

[hr]

The takeaways from this post:

[hr]

[checklist]

Be cautious and aware of emails that are trying to get you ‘riled up’, so you click on something without thinking.

Utilize an email service that does a good job of filtering out fake/fraudulent emails – e.g. Gmail/Google Apps for Business.

We’ve compiled five very specific reasons why consignment and resale stores (or any business) should not use Microsoft Security Essentials (MSE).

First and foremost, what is Microsoft Security Essentials? Microsoft Security Essentials is free security software from Microsoft. On Windows 7, Microsoft Security Essentials is offered automatically via Windows Update if an antivirus product is not detected on the system. On Windows 8/8.1, it’s known as Windows Defender and is included out of the box.

#4 – Computer Peeps Have Found MSE Does Not Work

The Computer Peeps manage hundreds of systems for consignment and resale stores all across North America. We are directly responsible for keeping computers clean, protected, and available; computers which store employees use to search the Web for pricing, browse Facebook, sell on eBay, check email, etc., i.e. computers that are at high risk of getting infected.

We regularly work on systems that are utilizing the all-too-common (yet ineffective) Chrome + MSE combo:

In five years of managing, maintaining, and securing systems for consignment and resale store owners, The Computer Peeps have not seen a worse or less-effective antivirus solution than Microsoft Security Essentials.

[hr]

#5 – MSE Is Not PCI Compliant

Last but not least, MSE is not PCI Compliant. First, it’s simply not considered antivirus by multiple, independent testing authorities.

Second, Microsoft recommends utilizing an actual antivirus product, further reinforcing that MSE is not antivirus.

Third, MSE does not have the ability to retain its log files for 365 days (PCI DSS Requirement 5.2.d requires antivirus logs to be retained in accordance with Requirement 10.7, i.e. for at least one year):

This isn’t a matter of opinion or “We like pepperoni pizza vs. cheese pizza – so should you!” It’s just really simple – MSE doesn’t work, it is not considered antivirus, Microsoft recommends not utilizing it, and multiple antivirus testing firms have found MSE cannot compete against even the worst antivirus program.

So please, if your tech or vendor recommends or implements MSE, stop them and ask them to remove it. Then, ask them to install and configure a viable antivirus solution. MSE is free and it helps avoid the topic of money – yes, viable antivirus costs money + time to configure. Would you rather avoid the topic, or would you rather spend $57 for a viable antivirus solution?

AOL is reporting a massive data breach which affects a “significant amount of users”. AOL is recommending users change their passwords immediately.

According to AOL’s Security Team:

This information included AOL users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly 2% of our email accounts.

If you utilize AOL for your consignment software’s email functionality, or for your personal email, please be sure to change your password right away.

We’d like to see as many consignment and resale stores as possible start 2014 out on the right foot. It is not an impossible task to better secure your systems, and while there is no silver bullet, there is a relatively straightforward set of tools that can drastically help. After all, if your computers aren’t cooperating, it can have a major impact on your business.

[hr]

OpenDNS

Consignment and resale shops spend a lot of time online searching for pricing and pictures, as well as working on social media. This puts consignment stores at the front-line of where malware and unwanted software can make its way into your systems.

OpenDNS is a service that provides web filtering, which helps prevent bad or unwanted websites from being accessed by employees. From malware after searching for “free image editing software” to browser infections/search redirects, one of the first places that should be filtered are the websites your computers can access.

In addition to blocking known-malware sites, adult content sites, etc. OpenDNS also lets you block or allow specific websites, as well as view reports of your store’s Internet and search activity.

Once you have registered for an OpenDNS account, all you’ll need to do is update your router’s DNS servers so that every device on the network resolves names through OpenDNS. Keep in mind that a PC whose DNS servers were set by hand (or changed by malware) bypasses the router’s setting, so either leave the workstations on DHCP or block outbound DNS (port 53) to anything other than OpenDNS at the firewall.

[hr]

Firefox

The *thing* you browse the web with is commonly referred to as a Web Browser. On Windows-based computers, Internet Explorer is the default/included browser. On Macs, Safari is the default browser. You do not have to use the included browser and you can generally have a safer browsing experience by switching browsers.

Two popular alternatives are Firefox and Google Chrome. While we utilize each browser for a variety of purposes, we typically recommend Firefox to our clients. Installing an alternative web browser alone is not enough to make browsing online safer. We work with a lot of clients whose browsers are infected with search redirects and other hijacks, yet they felt they were protected from this simply by using Firefox or Chrome.

We feel we can better secure our clients’ systems with Firefox. With Firefox, along with the add-ons we outline below (i.e. NoScript, AdBlock Plus & Public Fox), you can establish a first line of defense as you browse the wild wild web.

Firefox is free and open source. Once installed, we also recommend enabling Do Not Track, with the caveat that it only asks websites not to track you; it blocks nothing on its own, which is why the add-ons below matter.

[hr]

NoScript

When you click a link and visit a website, by default, that website can do quite a few things, all without you knowing. It’s sort of like letting anyone come into your house and start going through your things. It is better to take the approach that no website is trusted and that only those on your Allowed list can load.

NoScript makes this process very easy, providing you with a quick ‘Allow’ of a website you trust and plan on visiting more than once. NoScript also does a great job of picking out the other 3rd party websites that are loading in the background, as well as other types of active content which can harm your computer.

Of all the ways to block things such as JavaScript, Flash, and hidden content, we feel NoScript is the best way to control your web browsing experience. NoScript is one of the most effective tools at stopping *crap* from making its way into your computers in the first place.

[hr]

AdBlock Plus

Ads are not only a visual annoyance, they are a common source of malware. Even popular, trusted websites can have compromised ads which can load malware and malicious content on unsuspecting users’ systems.

We love AdBlock Plus. Combined with NoScript, you can have a safe, controlled, clean web browsing experience and help keep your systems clean long before malware even has a chance to run.

Once installed, be sure to enable AdBlock Plus’ anti-malware features, as well as disable the ‘Allow some non-intrusive advertising’ option.

[hr]

Public Fox

Now that you have your Firefox installation secured and configured to your liking, wouldn’t it be nice if you could protect those settings from being changed?

With Public Fox you can. Public Fox essentially treats the web browser as though it’s in-use on a ‘public’ computer. You can password protect your Options and block downloads.

By no means is this alone meant to be a way of protecting a system, but Public Fox can help curb unwanted changes and downloads to your systems.

[hr]

Non-Admin User Accounts

By default, when you purchase a Windows-based computer, the only user account has full Administrator access. If you do not create a separate, restricted account for day-to-day use of the store’s computer, you’re granting full control of it to your employees and to whatever they might stumble upon out there on the web.

It is best-practice to not utilize a full admin account and instead, log in with a Standard User/restricted account. This can help prevent major changes to your systems, such as installing/uninstalling software.

We also recommend taking this one step further and on Professional versions of Windows, configuring Group Policy to lock-down additional aspects of the system – e.g. prevent printers from being deleted, etc.

[hr]

Patch Management

With many systems using default configurations: Administrator accounts, Internet Explorer, and no antivirus, computers without patch management are sitting ducks.

Security holes in commonly used programs such as Adobe Reader, Adobe Flash, and Java are frequently and actively exploited. Their built-in updaters generally only prompt the user, so keeping them current regularly requires someone to accept the update and reboot the system. With even two computers in a consignment shop, just keeping programs patched can quickly become a challenge.

Emails carrying malicious PDF or Word attachments are a common delivery method for these attacks, and with many email providers not filtering out such messages, un-patched systems are just waiting to be compromised.

[hr]

The combo of OpenDNS + Firefox + NoScript + AdBlock Plus can benefit users of all platforms. Most of what you do is online these days and for many, the web browser is all they use their computer for. Browser infections/hijacks impact users of ALL platforms.

A printer on the vulnerability list is the HP LaserJet Pro P1102w, one of the more common HP printers utilized by businesses.

We are frequently asked to configure WiFi printers, but we strongly oppose such configurations, both for reliability purposes and for security issues such as this. We recommend not utilizing WiFi unless absolutely necessary; having a printer connected via WiFi simply isn’t worth the reliability and vulnerability issues.

It’s Friday, the day after Independence day here in the States. We received an emergency email from a client who is unable to utilize their point of sale system for processing credit cards. All was working properly, until Windstream introduced a new piece of hardware. Where our client once had a modem, they now have an all-in-one gateway.

When accessing systems directly via UNC path, the systems are taking over a minute to respond. Applications that communicate with the Internet, are failing to connect. Connections are timing-out.

Oh, Windstream also enabled WiFi for the store – how nice of them!

When we called the tech who performed this installation, we were quite surprised to hear the response of, “Man, we do this all the time!” Instead of, “Oh, well, yeah, I see how after I added a new Layer 3 device, the network is probably going bonkers now.” No accountability. When I mentioned the other router, his response was, “How was I supposed to know?” Because it was right there in front of you.

This isn’t just an innocent mistake or little slip-up. Mistakes happen, settings can be overlooked, etc. This wasn’t the case. The, “we do this all the time” response and lack of understanding how their change could cause issues, make that clear.

This tech didn’t like being called by some out-of-towner giving him an earful on a Friday. Windstream techs and field techs out there, please, just show an ounce of pride in your work. It’s businesses like our client, whose systems go down on a holiday weekend while you just get to “close another ticket.”

The scariest part is thinking about how many service providers out there just implement default installations, because “we do this all the time!”

Securing consignment systems involves more than just installing free antivirus software and hoping all goes well. Antivirus alone isn’t enough when it comes to securing or ‘hardening’ a consignment system. For this first and most-basic layer of protection, we recommend ESET NOD32 Antivirus.

Don’t just download and install NOD32 and think all is well, oh no. Please take the time to configure ESET: log all scanned objects, keep the logs for 365 days (the retention the PCI DSS expects), enable the appropriate modules, and password protect the settings.

You can’t stop at just antivirus.

The user you log in to Windows as should not be an Administrator. Configure a restricted account and set your Windows NTFS permissions so that your consignment software and other applications can still run under it. Harden your operating system – e.g. disable the hidden admin shares, configure Group Policy, etc.

That’s still not enough.

We recommend utilizing Firefox, not Chrome or Internet Explorer. Chrome uses the system proxy settings that Internet Explorer’s options control, so if a hijacker points those settings at a malicious proxy, Chrome’s traffic goes through it too. For Firefox, implement the following add-ons: NoScript, AdBlock Plus, and Public Fox. The last of those provides a way to password protect your settings, block downloads, and prevent browsing history from being cleared.

Implement the built-in web filtering + monitoring service within Windows known as Parental Controls. This involves installing the Family Safety pack and registering for a Windows Live account. Once implemented, you can view all web activity, block sites, and prevent malicious content from being accessed.

That’s still not enough though.

Implement a new set of DNS servers at your Internet gateway. Comodo is a bit strict, but for a consignment store actively browsing the Internet, strict is good. OpenDNS is also great for catching malicious domains and content.

It can keep going from there too. If you have Adobe Reader, Adobe Flash, Java, etc. installed, a patch management tool is the practical way to keep those programs updated around the clock without relying on someone to click through each updater.

The PCI DSS outlines 12 requirements that any business which stores, processes, or transmits cardholder data must adhere to. The first two PCI DSS requirements fall under the grouping Build and Maintain a Secure Network:

Any non-console administrative access (i.e. remote access) must be encrypted with strong cryptography. Remote-support tools such as TeamViewer or LogMeIn encrypt their sessions; plain VNC does not. RDP does encrypt, but only counts if it is configured for TLS and Network Level Authentication rather than the legacy RDP security layer.

No cardholder data should enter a shared hosting environment unless the provider meets the PCI DSS requirements for shared hosting providers (Appendix A), and any portion of shared hosting involved in cardholder data should be reviewed for PCI DSS compliance

[/checklist]

[/box]

This first set of requirements attempts to establish a basic set of security measures, from a firewall, to changing/disabling vendor-default passwords. Make sure you have a physical, hardware firewall in-place. Create a diagram of your network so you can clearly see every device and the routes between each device.

Be sure to configure your systems in such a way that users cannot modify settings. Also, do not discuss your network setup, logins, and security measures with anyone.

The PCI DSS also requires implementing only one primary function per server – e.g. MS SQL Server – as well as running a clean system, free of unnecessary software, i.e. a clean installation of the operating system with only what is needed. Be sure to document each program that is installed and be able to justify its use.

Another important item, is to ensure that any remote connections to the server are encrypted.

And finally, if you (or your vendor) utilize shared hosting, cardholder data must not be stored on that server unless the hosting provider has been validated against the PCI DSS requirements for shared hosting providers, and you can show that validation.
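The posts above ask for the same handful of workstation settings in several places: log in as a non-administrator, disable the hidden admin shares, point DNS at a filtering resolver, keep Adobe Reader, Flash and Java patched, and make sure remote administration is encrypted. As an added example (not code from the original posts or from any vendor named in them), the PowerShell script below reads each of those settings on a Windows PC and prints them; it changes nothing. The OpenDNS resolver addresses are assumed to be the ones you configured on the router, and the registry paths are the standard Windows locations for these settings.

```powershell
# Added example, not from the original posts: a read-only audit of the settings the
# posts ask for on a Windows point-of-sale PC. Run it in Windows PowerShell as the
# day-to-day user; nothing is modified. The resolver list is an assumption for the example.
$ExpectedDns = @('208.67.222.222', '208.67.220.220')   # OpenDNS resolvers set on the router

function Test-RunningAsAdmin {
    # True if the current logon token holds the local Administrators group.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AdminShareSetting {
    # AutoShareWks = 0 stops the Server service from recreating C$ and ADMIN$ at boot
    # (IPC$ remains). A missing value means the default, which is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AutoShareWks
    if ($null -eq $v) { return 'enabled (default)' }
    if ($v -eq 0)     { return 'disabled' } else { return 'enabled' }
}

function Get-RdpSettings {
    # SecurityLayer: 0 = legacy RDP security, 1 = negotiate, 2 = TLS.
    # UserAuthentication: 1 = Network Level Authentication required.
    # MinEncryptionLevel: 3 = High (128-bit), 4 = FIPS.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rdpTcp = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        TlsRequired          = ($rdpTcp.SecurityLayer -eq 2)
        NlaRequired          = ($rdpTcp.UserAuthentication -eq 1)
        HighEncryption       = ($rdpTcp.MinEncryptionLevel -ge 3)
    }
}

function Get-ConfiguredDns {
    # Windows 8 / Server 2012 and later ship the DnsClient module; Windows 7 falls back to WMI.
    if (Get-Command Get-DnsClientServerAddress -ErrorAction SilentlyContinue) {
        return (Get-DnsClientServerAddress -AddressFamily IPv4 |
                Where-Object { $_.ServerAddresses } |
                ForEach-Object { $_.ServerAddresses }) | Select-Object -Unique
    }
    return (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            ForEach-Object { $_.DNSServerSearchOrder }) | Select-Object -Unique
}

function Get-PatchSensitiveSoftware {
    # Inventory of the plug-ins the posts single out, read from the Uninstall keys
    # (64-bit and 32-bit views) so the versions can be compared against the vendors' current releases.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Adobe Reader|Acrobat Reader|Adobe Flash|Java \d|Java\(TM\)' } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

# --- report ---
"Logged on as administrator : $(Test-RunningAsAdmin)"
"Hidden admin shares (C`$)   : $(Get-AdminShareSetting)"
$rdp = Get-RdpSettings
"Remote Desktop             : enabled=$($rdp.RemoteDesktopEnabled) tls=$($rdp.TlsRequired) nla=$($rdp.NlaRequired) highEnc=$($rdp.HighEncryption)"
$dns = @(Get-ConfiguredDns)
$unexpected = $dns | Where-Object { $ExpectedDns -notcontains $_ }
"DNS servers in use         : $($dns -join ', ')"
if ($unexpected) { "  WARNING: not pointed at the filtering resolvers: $($unexpected -join ', ')" }
"Patch-sensitive software   :"
Get-PatchSensitiveSoftware | Format-Table -AutoSize
```

A Remote Desktop line showing enabled=True with tls=False or nla=False means the PC is accepting the legacy RDP security layer; set the security layer to TLS and require Network Level Authentication (in the Remote Desktop settings or via Group Policy) before counting it as encrypted non-console access. Workstations that get their addresses from the router by DHCP should report exactly the expected resolvers; anything else means a hand-set or hijacked DNS entry that is bypassing the filter. Running the script again after a router swap or a vendor visit is a quick way to catch the kind of default installation the Windstream story describes.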